ICANN to reopen applications for new top-level domains

By William Jackson

May 10, 2012

The Internet Corporation for Assigned Names and Numbers says it will reopen its Web-based application system for new generic top-level domains for one week beginning May 22 after more than a month offline and will offer full refunds to applicants who want to withdraw from the process.

ICANN, the nonprofit corporation that oversees the Internet’s Domain Name System under an agreement with the Commerce Department, has notified more than 1,200 system users of whether their information was exposed by the glitch, which in some cases let users see the file names or user names of other applicants. The problem, which was first discovered in March, caused the TLD Application System to be taken offline in April.

“The large majority of users are unaffected by the glitch,” ICANN said in its announcement. “We continue to review the extensive database of system logs and system traffic, and any new and relevant information that emerges from this analysis will be shared with applicants in a timely way.”

The organization said it is possible that some of those notified have not been affected but that the notice was provided “out of an abundance of caution.”

ICANN in June 2011 approved a controversial program to expand the number of top-level domains, the suffixes on URLs and e-mail addresses that appear to the right of the final dot in the address. It opened a three-month window for filing applications through its online TLD Application System on Jan. 12. The TAS went offline April 12, which was supposed to be the filing deadline.

The problem does not appear to have been caused by malicious activity, said ICANN Chief Security Officer Jeff Moss. It occurred when the software improperly handled the deletion of application material, which in some cases could expose other applicants’ user names and file names to system users. No data from the files themselves was exposed, he said.

The security of the TAS is important because of sensitive personal and business information that could be included in applications and because of the investment required for applying. There is a $5,000 fee for registering to use the system and a $180,000 fee for each application. ICANN has agreed to refund the fees to anyone wishing to withdraw an application before the publication of the list of applied-for new top-level domain names.

At the time the system was shut down, there had been 2,091 applications submitted or in progress, for which ICANN had received about $350 million in fees, it said.

The system is expected to reopen May 22 and remain open for five business days, closing again May 30. This schedule takes into account the Memorial Day holiday on May 28 in the United States. No date has yet been announced for publication of new generic TLD names that have been applied for. Because of the expected high volumes of traffic when the system reopens, ICANN has used the downtime to enhance the system’s performance.

ICANN sent e-mail notifications to 1,275 registered users of the system. Of those, 1,163 had not been affected by the problem. Seventy-two users were told that file names and/or user names in their applications might have been exposed, 30 were told they might have improperly seen this information, and 10 were told they might both have seen information from others and have had some information of their own exposed.

Those who might have been affected were told which information was exposed and assured that there is no evidence that anyone was able to view the contents of or download the attachments. Those who might have seen file or user names were warned that the information is confidential and should not be acted on.